LinuxQuestions.org
Old 01-25-2005, 07:49 PM   #1
tebucky
Member
 
Registered: Mar 2004
Posts: 89

Rep: Reputation: 15
ssh and /etc/hosts.all & deny


Hello,
I am running Fedora Core 3 and I'm having issues restricting ssh login attempts. It is my understanding that by editing the hosts.allow & hosts.deny files I could limit what IP addresses can access ssh. Here is what I have so far:

hosts.allow
sshd : 192.168.1.0/20 xxx.xxx.x.xx

hosts.deny
ALL

So my understanding of this is that it will only allow people that use ssh from my internal LAN and the one IP that is listed. Everyone else is shut off. I restart sshd and it blocks every ssh connection, even the ones on the LAN. Once I comment the lines out, ssh works fine. Can anyone tell me what I am doing wrong and also provide a better method of limiting ssh?

TIA
 
Old 01-25-2005, 08:18 PM   #2
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 61
I could be wrong but I think you have the wrong subnet value here. 20 is for a class A/B value I believe. Your choices for Class C are starting with 24 for full subnet up to 255 per IP.

If you are trying for a whole class C of 192.168.1.0 then try this:
sshd : 192.168.1.0/24
or
sshd:192.168.1. 63.21.45.2
Second part here is defining one single IP also.

Brian1
" Google the Linux way @ http://www.google.com/linux "
 
Old 01-25-2005, 08:33 PM   #3
tebucky
Member
 
Registered: Mar 2004
Posts: 89

Original Poster
Rep: Reputation: 15
Brian1

I have done what you suggested and it still does not prevent me from ssh'ing to the machine from a "not allowed" host. Here is what I have again in allow & deny:

allow
sshd:192.168.1., xxx.xxx.xx.xx

deny
ALL

Any more suggestions?

Thanks
 
Old 01-25-2005, 08:52 PM   #4
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 61
Try ALL: ALL in your hosts.deny file.

Brian1
" Google the Linux way @ http://www.google.com/linux "

Last edited by Brian1; 01-25-2005 at 08:54 PM.
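As an added illustration (not from this thread), here is a small Python model of how tcp_wrappers evaluates the two files for sshd, following hosts_access(5): a matching hosts.allow line grants, otherwise a matching hosts.deny line denies, otherwise access is granted, and a line with no "daemon_list : client_list" separator is logged as a syntax error and ignored, which is why "ALL" on its own does not behave like "ALL: ALL". The sample tables and addresses are constructed; the model accepts both a dotted netmask and a /prefixlen after "/", so check your own build's hosts_access(5) for which forms it honours.

```python
import ipaddress
import logging

log = logging.getLogger("hosts_access")

# Constructed sample tables; the addresses are documentation ranges, not real hosts.
HOSTS_ALLOW = "# daemon_list : client_list\nsshd : 192.168.1. 203.0.113.7\n"
HOSTS_DENY_BARE = "ALL\n"          # no ':' separator: logged and ignored
HOSTS_DENY_FIXED = "ALL: ALL\n"    # every daemon, every client

def client_matches(pattern, ip):
    """Match one client_list token against an IPv4Address (hosts_access(5) forms)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask; dotted mask is classic, /prefixlen is build-dependent
        try:
            return ip in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            log.warning("bad net/mask expression: %s", pattern)
            return False
    if pattern.endswith("."):       # leading-octet prefix such as 192.168.1.
        return str(ip).startswith(pattern)
    return str(ip) == pattern       # exact address

def table_match(table_text, daemon, ip):
    """True if some 'daemon_list : client_list [: shell_command]' line matches."""
    for lineno, raw in enumerate(table_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2:
            log.warning("line %d: missing ':' separator, line ignored", lineno)
            continue
        daemons, clients = parts[0].split(), parts[1].replace(",", " ").split()
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if any(client_matches(c, ip) for c in clients):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, client_ip):
    """Verdict order from hosts_access(5): allow file, then deny file, else grant."""
    ip = ipaddress.IPv4Address(client_ip)
    if table_match(allow_text, daemon, ip):
        return "ALLOW"
    if table_match(deny_text, daemon, ip):
        return "DENY"
    return "ALLOW"  # no rule matched: tcp_wrappers grants by default
```

Running `hosts_access(HOSTS_ALLOW, HOSTS_DENY_BARE, "sshd", "198.51.100.9")` returns ALLOW while the same call with `HOSTS_DENY_FIXED` returns DENY; the same check with `tcpdmatch sshd 198.51.100.9` on the real files shows what your installed tcp_wrappers decides.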
 
Old 01-25-2005, 09:06 PM   #5
tebucky
Member
 
Registered: Mar 2004
Posts: 89

Original Poster
Rep: Reputation: 15
Brian1

That worked! Thanks.

By the way, is there a way to do this only based on username?
 
Old 01-26-2005, 10:51 AM   #6
tebucky
Member
 
Registered: Mar 2004
Posts: 89

Original Poster
Rep: Reputation: 15
Ok, so this config worked while I was on my LAN, but the remote IP that I have specified in /etc/hosts.allow cannot connect via ssh. Can anyone tell me what I've done wrong?
 
Old 01-26-2005, 06:35 PM   #7
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 61
Should have read the question better. But glad you have it working now.

Is there a router between the remote IP and sshd machine?
If so you will need to open a port and port forward to sshd.

Are there any firewall rules up between the same or even on the sshd machine itself?
If so, you need to modify them to allow it. May require either this one or the one above.

Brian1
" Google the Linux way @ http://www.google.com/linux "
 
Old 01-27-2005, 03:38 PM   #8
tebucky
Member
 
Registered: Mar 2004
Posts: 89

Original Poster
Rep: Reputation: 15
Brian1...

I figured out why I could not connect remotely.... somehow my machine "stalled out," thus not working. I went home, rebooted and got it up and running and it is now accepting the connection from the IP that I want it to and denying other connections! Thanks!

Q:

Is there a way to run this hosts.allow & deny simultaneously with something that will also accept a specific username no matter where I am trying to connect from? Meaning ssh will always allow username "tbrady" to be granted access no matter what IP he is connecting from?

Does this make sense?
 
Old 01-27-2005, 06:23 PM   #9
Brian1
Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 61
I don't think that can be done. I would edit the config in hosts.allow to allow all IPs to sshd. Edit /etc/ssh/ssh_config and add the following.

DenyUsers all
AllowUsers tebucky

Yes, this will allow someone to try to login, but if they fail as an unknown user and password then they can not get in. If iptables is set up, it can log the attempts, but it can accumulate a lot of attempts even in one week. You can make the sshd port 22 act as a stealth port so it will not show up as an open port if someone scans your IP. Haven't done it with iptables but should be easy from what I hear. PAM might help in more security as well.

Also make sure root is not able to login to sshd. One can add a script to block IP blocks as they come if someone tries to sshd your machine, but after 3 logins fail it adds a rule to iptables to block access to a whole class C range. Have done it but it's been a while. I currently do not remember how but found the info on the internet. Google around the net or search here.

Read up on the man pages for ssh and pam and other files they mention. Lots of examples in them.

Brian1
" Google the Linux way @ http://www.google.com/linux "
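An added example of the username-based approach the question asks for, combined with the address filtering already in place (this is not from the thread; the account names follow the thread's tbrady and tebucky, and the 192.168.1.* pattern is an assumption). sshd reads /etc/ssh/sshd_config (ssh_config is the client's file); once any AllowUsers line is present, only the listed accounts can authenticate, and a user@host pattern ties an account to a source address. tcp_wrappers still decides per connection before authentication, so hosts.allow must admit sshd from everywhere for tbrady to get in from an arbitrary IP, and the username rule then does the rest.

```text
# /etc/hosts.allow  (tcp_wrappers: address check before authentication)
sshd : ALL

# /etc/hosts.deny
ALL : ALL

# /etc/ssh/sshd_config  (OpenSSH daemon: account check after address check)
PermitRootLogin no
# tbrady may log in from any address; tebucky only from the LAN.
# Everyone else is refused even with a valid password.
AllowUsers tbrady tebucky@192.168.1.*
```

Reload sshd after editing and keep an existing session open while you test a new one, so a typo in sshd_config cannot lock you out.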
 